Security Assessment and Recommendations

Running head: POTENTIAL WEAKNESSES

Security Assessment and Recommendations

by

School

Security Assessment and Recommendations

I have been charged with the task of identifying potential security weaknesses and recommending solutions for Quality Web Design (QWD). The project was completed in two phases. The first phase of the project specifically identified and defined two potential security weaknesses: software and policy. The second phase recommends solutions to these potential weaknesses. I chose a scenario that outlines specifics of the organization's type of business, business processes, assets, services, and security controls.

It is crucial for any organization to take necessary steps in securing their business' assets, and customer's data. Furthermore, it is also important for these security measures to be effective, and thoroughly planned. It is as equally important, in this interconnected and high-tech world, for corporations to also have and enforce an effective corporate security policy, because there are both internal and external threats (Symantec Corporation, 1995-2010).

Company Overview

Based on the scenario given, Quality Web Design is an IT corporation, with approximately 50-100 employees, offering top quality web design services for their customers. In order to appeal to their target audience and enhance services, they offer over 250,000 proprietary images and graphical designs. QWD's customers can only access their corporate website.

There business processes include the use of a repository of website templates, custom written scripts, and custom applications. This repository is used to monitor project development and quality assurance testing. Additionally, QWD offers IT support for their accounting, payroll, and marketing operations through the use of their digital assets. They utilize a Wide Area Network (WAN) and an internal Local

Area Network (LAN) for their offices.

There are strict technology-based access controls and a published corporate security manual that covers various security practices. Employees at QWD's corporate and remote offices have access to services that include Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange server.

Security Vulnerabilities

Listed below are two security vulnerabilities: software and policy. These were identified during my initial assessment of the scenario provided for QWD. These vulnerabilities are significant and should be addressed immediately.

Security Software

Many of QWD's employees work from remote locations and can access Virtual Private Network (VPN), Outlook Web email, and Active Sync Exchange services. They utilize corporate-owned laptops, desktops, and mobile devices (IPhones and Windows Mobile 6) to remotely access corporate intranet resources.

It is evident, by the scenario's hardware profile, that the company has hardware-based firewalls in place for network security. It is also evident in the WAN and corporate network diagrams (see Appendix). According to SANS Institute (2006), a VPN connection, in this case, offers secure connectivity between employees' computers and the corporate network. Furthermore, the VPN connection is there to provide data confidentiality, data integrity, and authentication services (SANS Institute, 2006, pp. 4).

Having said this, it appears that QWD is not protected with firewall software on their employee's remote computers. This means that these remote computers are not protected from personal attacks from the Internet. According to Beal (2010, pp. 3), "the best protection for your computers and network is to use both" hardware and software firewalls. These attacks include Trojan horses and email worm and the whole idea of software firewall is to protect the "computer from outside attempts to control or gain access" to it (Beal, 2010, pp. 3). An intruder can use an employee's compromised system to gain entry to the corporate network through an open VPN connection. Such an attack, using an open VPN connection, can be detrimental to the company's business processes, particularly their repository of website templates, custom written scripts, and custom applications; and, their accounting, payroll, and marketing operations. An attack to these mission-critical processes can mean a decrease in the organization's revenue; client's personal information being accessed, modified, or even deleted; and even degraded network performance. QWD would lose significant clientele and would not be as appealing to their target audience - not so good for their mission of providing top quality services.

Policy

Reducing the exposure of the corporate network from outside attacks is crucial in protecting mission-critical processes for QWD. The security assessment doesn't end with software firewalls for their remote users. The company's security policy must also address this vulnerability.

QWD has policy in place that speaks to who has access

...